Gaming applications often use Random Number Generators and/or real-world data to produce draw results. For example, the draw results may identify outcomes in gaming applications such as lotto quick picks, slot machines, Keno, Internet gaming sites, and national draw game outcomes. Random Number Generators and/or real-world data may be used to produce a seed or series of seeds that are input into an algorithm to produce an output (i.e., draw result). The draw result is unpredictable so long as the input seed(s) remain unknown. Thus, for some gaming systems to remain secure, it is essential that the input seed(s) remain unknown and secure. However, conventional systems lack adequate security in maintaining the integrity of input seeds.
The logistical challenges of selecting draw game seed(s) that are random or at the very least previously unpredictable have proven daunting with numerous security breaches having been observed over the years. For example, the Internet site www.PlanetPoker.com publicly displayed its shuffling algorithm in an attempt to advertise how fair its game was to any interested players. However, in the publicly displayed source code, the call to its Random Number Generator (“RNG”) was included to produce a random deck before each deck was generated. This implementation, built with Delphi 4, seeds the RNG with the number of milliseconds since midnight according to the system clock of the host server. This means players outside of the organization could easily predict the output of the RNG. By synchronizing a player's personal computer clock with the clock on PlanetPoker.com, an outside computer program could calculate the exact shuffle. Thus, the outside player would know all the cards that have yet to appear, everyone's hand, and who will win. This fraud, while unintended by the operator, still allowed some outside players to gain an unfair advantage over others.
In addition to the seed(s) selection process, there have been security problems associated with the insertion of different seeds into an RNG, or for that matter, bypassing the RNG output altogether to produce a false drawing outcome. One example was with the IGT slot machine “Game King.” In 2009, a seven year old bug in the Game King slot machine was exploited that effectively allowed a user to bypass the machine's RNG output and replay winning hands. This bug exploitation resulted in over $1,000,000 in false winnings being awarded. Another example was in 1995 when a Nevada Gaming Control Board's (GCB's) staffer covertly reprogrammed the Erasable Programmable Read Only Memory (EPROM) in the prototype slot machines that he was auditing to include a backdoor Easter Egg that would trigger a jackpot upon a particular sequence of button presses. When these EPROMs were duplicated and put into production the staffer was able to trigger the jackpot Easter Egg at will and collect hundreds of thousands of dollars in illicit winnings. Even mechanical RNG systems have been subjected to fraudulent manipulation. For example, in 1980, the Pennsylvania Lottery daily number game ping pong ball drawing was rigged by subtlety increasing the weight of the drawing ping pong balls except for those numbered “4” and “6” with the actual compromised drawing result of “666.”
Some gains in RNG seed security have been realized by employing special purpose hardware RNG seed generators. For enhanced security, these special purpose hardware RNG seed generators also digitally sign the generated random number seeds that are created, thereby creating an audit path proving the authenticity of the RNG seed(s) so long as the special purpose hardware remains uncompromised. A technique for further enhancing the security by maintaining an RNG seed generation audit trail is taught in U.S. Pat. No. 7,892,087 (Hamman et. al.). As disclosed in Hamman et. al., employing a game server to generate random numbers or seeds separate from the client server (i.e., the server conducting the actual game preferably operated by a different entity) where the generated random numbers or seeds are stored in a digitally signed file that enables another level of forensic auditability, which further enhancing the integrity of the RNG drawing. Additionally, U.S. Pat. Nos. 6,477,251 and 6,934,846 (Szrek et. al.) teach using multiple processors in tandem to generate an auditable pseudorandom outcome. The '251 patent discloses utilizing multiple processors with associated individual logs to generate a random outcome, while the '846 patent discloses adding digital signatures as a form of authentication from a separate server. However, neither of the Szrek et. al. nor the Hamman et. al. patents address the vexing problem of malicious software potentially inserted by an insider programmer (e.g., the Nevada GCB staffer, fraudulent “Hot Lotto” $16.5 million drawing in 2010 and alleged fraudulent RNG drawings in Colorado, Oklahoma, Iowa, Kansas, and Wisconsin). Additionally, neither Szrek et. al. nor the Hamman et. al. discloses creating an audit trail to detect a malicious software drawing result in real-time.
U.S. Pat. Nos. 6,099,408 and 6,264,557 (Schneier et. al.) disclose combining random number selections from multiple entities where at least one entity commits to a random number selection by sending either a cryptographic hash or encrypted ciphertext of the random number selected before receiving the random number selection of the other entity. Schneier et. al. teaches combining the at least two random number selections in a manner that is “ . . . unique to the particular game selected.” ('557 patent, column 9, lines 45 through 48). Not only does this game unique combining methodology not ensure true randomness in the final composite drawing, it also leaves the system potentially vulnerable to one entity forcing an illicit drawing outcome with some gaming formats unless extreme care was exercised for each game unique combiner algorithm.
Finally, U.S. Pat. No. 8,016,662 (Hamman et. al.) teaches using publicly verifiable outcomes of non-deterministic events as seeds for random number drawings. While the usage of publicly-verifiable outcomes does tend to mitigate insider fraud, it usually has the disadvantages of: human (i.e., error prone) input, time synchronization with outside events, and possibly open network access to the RNG sever(s) thereby potentially exposing the servers to potential external hacking.
Therefore, it is highly desirable to develop methodologies correct the deficiencies of the previously discussed disclosures to ensure the integrity and security of RNG seed or number generation, particularly against malicious software.